Skip to main content

Authentication

Every programmatic call uses an organization API key. Sign up at kallglot.com, open the Developer Portal, and create keys per environment (sk_live_* vs sk_test_*).

API Keys

Every API key belongs to a single organization.

Key Types

Why calls fail (401, 402, 403)

Typical gate checks: unknown or revoked keys, wrong live/test environment, inactive subscription, or exhausted API credits. See Errors when wiring retries.
Never expose your API keys in client-side code. Use API keys only in trusted server-side environments. Browser and mobile clients should connect with short-lived session stream tokens created by your backend.

Making Authenticated Requests

Use the Authorization header with a Bearer token:

Request Headers

WebSocket Authentication

WebSocket connections use the session stream token returned by POST /v1/sessions, not your API key.
That JSON body is WebSocket-only (no PSTN leg). For Twilio, Telnyx, or SIP, add routing on POST /v1/sessions as documented in Create Session—do not use a nested provider object.

Token Expiration

Stream tokens expire after 5 minutes. The stream.expires_at field tells you exactly when the token expires. Token expiry is checked only when the WebSocket connects, so an already-connected stream stays active after that point.

API Key Permissions

API keys can be scoped to the smallest permission set your application needs: New keys are created with the full standard scope set listed above so integrations work out of the box; prefer the smallest viable set whenever you can customize scopes.

Response Headers

Authenticated HTTP responses may include these headers: For billable write requests, the credit headers reflect the post-request balance when the request succeeds.

Authentication And Billing Errors

Examples: POST /v1/sessions needs sessions:write. A key missing that scope receives 403 even when credits are available (402).

Security Best Practices

Create new API keys periodically and revoke old ones to reduce exposure if a key is leaked.
Store API keys in environment variables or a secret manager, never in source control.
Live keys should only be used against the live API environment. Test keys should only be used in test or sandbox environments.
Watch the Developer Portal for unusual API activity, rate-limit pressure, and low API-credit balances.
If a key may have been exposed, revoke it immediately and replace it with a new scoped key.
See Error Codes for the full error catalog and Rate Limits for throughput limits and retry guidance.